Deep Dive into OpenStack Neutron: Networks, Subnets, and Plugins Explained

Tutorial RSH Network December 13, 2025 4 mins read

Explore OpenStack Neutron's architecture, network types, subnet configuration, and plugin ecosystem to understand how networking works inside OpenStack clouds.


📖 Introduction

Networking is the backbone of any cloud platform, and in OpenStack, that responsibility lies with Neutron. OpenStack Neutron provides Networking-as-a-Service (NaaS), enabling tenants to create and manage virtual networks, subnets, routers, and advanced networking services.

This blog post takes a deep dive into Neutron, explaining how networks and subnets work, the different network types available, and how Neutron plugins and drivers extend functionality for real-world cloud deployments.


🔧 What Is OpenStack Neutron?

OpenStack Neutron is the networking service of OpenStack. It allows users to:

  • Create isolated tenant networks

  • Assign IP addresses and subnets

  • Connect instances to internal and external networks

  • Integrate advanced networking features such as load balancers, firewalls, and VPNs

Neutron is designed to be modular and extensible, supporting multiple backend technologies.


🧩 Neutron Architecture Overview

At a high level, Neutron consists of:

  • Neutron Server (API)
    Handles API requests from users and other OpenStack services.

  • Neutron Plugins / ML2 Plugin
    Determines how networking is implemented on the backend.

  • Agents
    Run on controller and compute nodes to manage networking operations:

    • L2 Agent (Open vSwitch / Linux Bridge)

    • DHCP Agent

    • L3 Agent

    • Metadata Agent

  • Database
    Stores network, subnet, and port information.


🌐 Neutron Networks Explained

A network in Neutron is a logical layer-2 broadcast domain. Instances connected to the same network can communicate directly.

Types of Neutron Networks

1️⃣ Provider Networks

  • Directly map to physical networks

  • Common in enterprise and ISP clouds

  • Types:

    • Flat

    • VLAN

2️⃣ Tenant (Self-Service) Networks

  • Created by users

  • Isolated using overlay technologies

  • Common types:

    • VXLAN

    • GRE

3️⃣ External Networks

  • Provide access to outside networks (internet or data center)

  • Used for floating IPs and routers


πŸ“ Subnets in OpenStack Neutron

A subnet defines IP addressing within a network.

Each subnet includes:

  • CIDR (e.g., 192.168.1.0/24)

  • Gateway IP

  • DNS servers

  • Allocation pools

  • DHCP enable/disable

Example: Creating a Network and Subnet

 
openstack network create rsh-private-net
openstack subnet create rsh-private-subnet \
  --network rsh-private-net \
  --subnet-range 192.168.10.0/24 \
  --gateway 192.168.10.1 \
  --dns-nameserver 8.8.8.8

🔌 Ports: Connecting Instances to Networks

A port represents a virtual NIC attached to a network.

Ports:

  • Are automatically created when launching instances

  • Can be manually created for advanced use cases

  • Carry MAC addresses, IP addresses, and security groups

 
openstack port list

🧠 Neutron Plugins and the ML2 Framework

Neutron uses plugins to support different networking technologies.

ML2 (Modular Layer 2) Plugin

ML2 is the most widely used Neutron plugin. It allows multiple network types and drivers to coexist.

ML2 Components:

  • Type Drivers

    • flat

    • vlan

    • vxlan

    • gre

  • Mechanism Drivers

    • Open vSwitch (OVS)

    • Linux Bridge

    • SR-IOV

    • OVN


βš™οΈ Popular Neutron Backend Technologies

Open vSwitch (OVS)

  • Most common backend

  • Flexible and well-supported

  • Ideal for VXLAN and VLAN networks

Linux Bridge

  • Simpler alternative to OVS

  • Easier to debug

  • Slightly less feature-rich

OVN (Open Virtual Network)

  • Modern SDN solution

  • Replaces traditional L2/L3 agents

  • Better scalability and performance


πŸ” Security Groups and Network Policies

Neutron integrates security at the network layer using:

  • Security Groups

    • Stateful firewall rules

    • Control inbound and outbound traffic

  • Port Security

    • MAC/IP spoofing protection

Example:

 
openstack security group rule create \
  --proto tcp --dst-port 22 rsh-secgroup
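
The rule above sets no --remote-ip, so the OpenStack client defaults the source to 0.0.0.0/0 and SSH is reachable from any address. The Python script below is an added example, not code from the original post or from OpenStack: it reviews security group rules and ports, given as dictionaries with Neutron API field names, for any-source access to watched ports and for weakened port security. The watch list, the rule() helper and all sample records are constructed for illustration.

```python
import ipaddress

SENSITIVE_TCP = {22: "ssh", 3306: "mysql", 3389: "rdp"}  # assumed watch list

def any_source(rule):
    """True when the source is unrestricted (no prefix and no group means any)."""
    if rule.get("remote_group_id") or rule.get("remote_address_group_id"):
        return False  # source limited to members of a group
    prefix = rule.get("remote_ip_prefix")
    return prefix is None or ipaddress.ip_network(prefix, strict=False).prefixlen == 0

def exposed_ports(rule):
    """Watch-list ports inside the rule's TCP port range."""
    if rule.get("protocol") not in (None, "tcp", "6"):
        return []
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None:  # no range means every port
        lo, hi = 1, 65535
    return sorted(p for p in SENSITIVE_TCP if lo <= p <= hi)

def audit(rules, ports):
    """Return (object id, finding) pairs for rules and ports to review."""
    findings = []
    for r in rules:
        if r["direction"] == "ingress" and any_source(r):
            for p in exposed_ports(r):
                findings.append((r["id"], f"{SENSITIVE_TCP[p]}/{p} open to any source"))
    for port in ports:
        if port.get("port_security_enabled") is False:
            findings.append((port["id"], "port security off: no anti-spoofing filter"))
        for pair in port.get("allowed_address_pairs", []):
            if ipaddress.ip_network(pair["ip_address"], strict=False).prefixlen == 0:
                findings.append((port["id"], "allowed address pair covers all IPs"))
    return findings

# Constructed sample records using Neutron API field names (not real data).
def rule(rid, direction, protocol, lo, hi, prefix):
    return {"id": rid, "direction": direction, "protocol": protocol,
            "port_range_min": lo, "port_range_max": hi, "remote_ip_prefix": prefix}

RULES = [rule("r1", "ingress", "tcp", 22, 22, "0.0.0.0/0"),  # same shape as the page's SSH rule
         rule("r2", "ingress", "tcp", 22, 22, "192.168.10.0/24"),
         rule("r3", "ingress", None, None, None, None),      # any protocol, any source
         rule("r4", "egress", None, None, None, None)]
PORTS = [{"id": "p1", "port_security_enabled": True, "allowed_address_pairs": []},
         {"id": "p2", "port_security_enabled": False, "allowed_address_pairs": []},
         {"id": "p3", "port_security_enabled": True,
          "allowed_address_pairs": [{"ip_address": "0.0.0.0/0"}]}]
if __name__ == "__main__":
    for obj, finding in audit(RULES, PORTS): print(obj, finding)
```

Restricting the rule to a management range (as in r2) removes the finding for SSH.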

🌍 Routing and External Connectivity

Neutron routers connect:

  • Tenant networks ↔ External networks

They enable:

  • North-South traffic

  • Floating IPs

  • SNAT/DNAT

 
openstack router create rsh-router
openstack router add subnet rsh-router rsh-private-subnet
openstack router set --external-gateway public-net rsh-router

🚀 Advanced Neutron Services

Neutron supports advanced services via extensions:

  • LBaaS / Octavia – Load Balancing

  • FWaaS – Firewall as a Service

  • VPNaaS – Site-to-Site VPN

  • QoS – Bandwidth control

These services are essential for production-grade clouds.


✅ Why Neutron Matters in Real Deployments

  • Enables multi-tenant isolation

  • Supports hybrid and private clouds

  • Integrates with SDN and enterprise networks

  • Scales from small labs to large data centers


🏁 Conclusion

OpenStack Neutron is a powerful, flexible, and extensible networking service that makes OpenStack suitable for enterprise and service-provider environments. By understanding networks, subnets, and plugins, administrators gain full control over cloud connectivity, security, and performance.

Whether you're building a lab, a private cloud, or a telecom-grade deployment, mastering Neutron is essential for OpenStack success.
